Overview of the ACE Troubleshooting Process

See the ACE module release notes for your software version for the latest features, operating considerations, caveats, and CLI command changes.

Before you introduce configuration changes, use the ACE checkpoint feature to bookmark a known good configuration and save your configuration. If you run into problems with the new configuration, you can roll back the new configuration to the known good configuration. See the Cisco Application Control Engine Module Administration Guide. Troubleshoot new configuration changes immediately after adding them.

Verify that your configuration is correct for your network application. Make any required changes to the running-config file, and then test the configuration. If it is satisfactory, save it to the startup-config file. Use the copy running-config startup-config command for a particular virtual context, or use the write memory command from the Admin context to copy all running-config files in every virtual context to their respective startup-config files.
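The checkpoint-then-save workflow described in the two paragraphs above, shown as an added example session (not part of the original page). The context name C1 and the checkpoint name PRE_CHANGE are constructed placeholders, and lines beginning with ! are annotations, not commands to type.

```cisco
! Constructed session: context C1 and checkpoint PRE_CHANGE are placeholders.
ACE_module5/Admin# changeto C1
! Bookmark the known good running configuration before touching it.
ACE_module5/C1# checkpoint create PRE_CHANGE
ACE_module5/C1# show checkpoint all
! ... enter configuration mode, make the change, and test it immediately ...
! If the change misbehaves, return to the bookmarked configuration:
ACE_module5/C1# checkpoint rollback PRE_CHANGE
! If the change is satisfactory, make it persistent for this context:
ACE_module5/C1# copy running-config startup-config
```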

After you have determined that your troubleshooting attempts have not resolved the problem, contact the Cisco Technical Assistance Center (TAC) or your technical support representative. See the "Contacting Cisco Technical Support" section.

Verifying the ACE Image

To display the version of the software image and the image filename that is currently running in your ACE, enter the following command:

Gathering ACE Troubleshooting Information

The following sections recommend ways to gather information that is relevant to the problem that is occurring.

Rebooting the ACE

Do not reboot the ACE unless it is absolutely necessary. Some information that is important to troubleshooting your problem may not survive a reboot. Try to gather as much information as possible before rebooting.

Using show Commands

You can use a number of show commands in Exec mode to gather information specific to the symptoms you are observing in your ACE. In most cases, you can gather the information you need to troubleshoot the ACE by entering the show tech-support command. This command runs many show commands that are useful for troubleshooting the ACE. You can redirect the output of the show tech-support command to one of the following destinations:

ACE_module5/Admin# show tech-support > ?
<File> Name of file to redirect stdout.
disk0: Enter the URI to redirect the output.
ftp: Enter the URI to redirect the output.
sftp: Enter the URI to redirect the output.
tftp: Enter the URI to redirect the output.
volatile: Enter the URI to redirect the output.

Capturing Packets in Real Time

Capturing packets (sometimes referred to as a "TCP dump") is a useful aid in troubleshooting connectivity problems with the ACE or for monitoring suspicious activity. The ACE can track packet information for network traffic that passes through the ACE. The attributes of the packet are defined by an ACL. The ACE buffers the captured packets, and you can copy the buffered contents to a file in Flash memory on the ACE or to a remote server. You can also display the captured packet information on your console or terminal.

The ACE captures packets subject to the following guidelines:

One capture session is used per context

Capture is triggered at flow setup

Capture is configured on the client interface where the flow is received

Note:

Probe traffic will not hit a security ACL, so ACLs cannot control the capture of those packets. Therefore, probe traffic cannot be captured by the packet capture utility.

If possible, you should capture packets using the ACE packet capturing utility before and after symptoms appear. Save the packet captures to a file.

To capture packets in real time, follow these steps:

1. Create an ACL for packet capturing or use an existing ACL if it meets the packet capture requirements by entering the following command:

If you view the ACE capture file in a third-party sniffer (for example, Wireshark), you will notice that only the messages of type PKT_RCV and PKT_XMT are displayed. This situation is expected because the sniffer is not aware of the ACE's internal messaging.
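A capture session that follows the guidelines in this section, shown as an added example (not part of the original page). The names CAPACL and CAP1, the context C1, VLAN 100, the address 192.0.2.10 and the file name are constructed placeholders; lines beginning with ! are annotations, not commands to type.

```cisco
! Constructed example: CAPACL, CAP1, C1, VLAN 100 and 192.0.2.10 are placeholders.
! The ACL defines which packets are captured (here, client HTTP to one address).
ACE_module5/C1# config
ACE_module5/C1(config)# access-list CAPACL line 10 extended permit tcp any host 192.0.2.10 eq 80
ACE_module5/C1(config)# exit
! Attach the capture to the client-side VLAN where the flow is received.
! Only one capture session can be used in this context.
ACE_module5/C1# capture CAP1 interface vlan 100 access-list CAPACL bufsize 5000 circular-buffer
! Start before reproducing the symptom: capture is triggered at flow setup.
ACE_module5/C1# capture CAP1 start
! ... reproduce the symptom ...
ACE_module5/C1# capture CAP1 stop
! Review the buffer on the console, then save it to Flash memory for later analysis.
ACE_module5/C1# show capture CAP1
ACE_module5/C1# copy capture CAP1 disk0: CAP1_symptom
```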

Copying Core Dumps

If the ACE fails with a core dump, the core dump files may contain useful information. The core dump files reside in the core: directory. To view the contents of the core: directory, enter the following command:

If a host is one hop away and you are unable to reach the host, then ping the intermediary gateway. If the gateway is not reachable, enter the show ip route command and check to make sure that the correct route is displayed. For example, enter:

2. Verify that the ACE is connected to the switch fabric of the Catalyst 6500 series switch or the Cisco 7600 series router. The ACE uses a 10-Gigabit Ethernet switch fabric interface (SFI) to connect to the chassis backplane as opposed to the CSM, which uses a port channel. The ACE uses the following format for this interface:

Te<slot>/1

For example, if the ACE is in slot 5, you can see the status of the backplane connection by entering the following command on the Catalyst 6500 series switch or the Cisco 7600 series router:

Contacting Cisco Technical Support

If you are unable to resolve a problem after using the troubleshooting suggestions in the articles in this wiki, contact the Cisco Technical Assistance Center (TAC) for assistance and further instructions. Before you call, have the following information ready to help your TAC engineer assist you as quickly as possible:

Date that you received the ACE

Chassis serial number (located on a label on the right side of the rear panel of the chassis)

Type of software and release number (if possible, enter the show version command)

Maintenance agreement or warranty information

Brief description of the problem

Brief explanation of the steps that you have already taken to isolate and resolve the problem